Are blockchains compatible with data privacy law?

There is significant uncertainty as to how European data protection rules apply to blockchain technology, according to a new study by researchers from Queen Mary University of London and the University of Cambridge.

The analysis, published in the Richmond Journal of Law and Technology, found that this uncertainty, coupled with potential heavy fines under the EU’s General Data Protection Regulation (GDPR), risks deterring European companies from innovating with blockchain.

The GDPR came into effect in May 2018 and protects individuals’ data privacy rights. As so-called ‘data controllers’, companies are responsible for respecting citizens’ rights when it comes to their personal information. For example, under the GDPR, individuals have the right to request that their personal data be corrected or deleted. By combining cryptography and distribution, blockchain makes it difficult to alter or delete information stored ‘on the chain’, which may include personal data. This has led some commentators to suggest that the technology is not compatible with GDPR.

Possible solutions

The study shows that GDPR compliance could be difficult for companies in the EU that want to use blockchain to process personal data. Fines under GDPR can be as high as £17m, or four per cent of global turnover – whichever is higher.

However, despite such concerns, the authors found that it may be possible to design blockchain applications that are substantially compliant with GDPR requirements. In practice, blockchain applications can range from so-called ‘open’, decentralised applications like Bitcoin to ‘closed’, more centralised applications.

The authors argue that organisations and businesses could set up private blockchains which make it possible to manage the data stored on the chain in a manner that is compliant with GDPR, without compromising the core objectives of a secure, distributed ledger. The researchers also found that technical solutions may enable the deletion of personal data while maintaining the integrity of a blockchain. Promising examples include encrypting entries and then deleting the relevant decryption keys, leaving only indecipherable data on-chain, or using so-called ‘off-chain’ storage models.
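To make the key-deletion approach concrete, here is an added illustration (not code from the study or the page): a minimal hash-linked ledger in which each entry is stored encrypted under a per-subject key held off-chain, so erasing that key leaves the on-chain ciphertext indecipherable while every hash link still verifies. The SHA-256 keystream cipher is an assumption standing in for a real AEAD such as AES-GCM, and the subject identifiers are constructed sample values.

```python
import hashlib
import json
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher built from SHA-256 (illustration only;
    a production system would use an AEAD such as AES-GCM)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def block_hash(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.blocks = []  # on-chain: hash-linked, never modified after append
        self.keys = {}    # off-chain: erasing a key "deletes" that subject's data

    def append(self, subject: str, personal_data: str) -> int:
        key = self.keys.setdefault(subject, os.urandom(32))
        nonce = os.urandom(16)  # fresh per entry, so one key can cover many entries
        ct = keystream_xor(key, nonce, personal_data.encode())
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        # "subject" should itself be a pseudonymous id, not a real-world identifier
        body = {"subject": subject, "nonce": nonce.hex(), "ct": ct.hex(), "prev": prev}
        self.blocks.append({**body, "hash": block_hash(body)})
        return len(self.blocks) - 1

    def read(self, index: int):
        b = self.blocks[index]
        key = self.keys.get(b["subject"])
        if key is None:
            return None  # key erased: ciphertext is still on-chain but indecipherable
        return keystream_xor(key, bytes.fromhex(b["nonce"]), bytes.fromhex(b["ct"])).decode()

    def erase_subject(self, subject: str) -> None:
        self.keys.pop(subject, None)  # the on-chain entries are left untouched

    def verify(self) -> bool:
        """Recompute every hash and link; erasure must not break this."""
        prev = "0" * 64
        for b in self.blocks:
            body = {k: v for k, v in b.items() if k != "hash"}
            if b["prev"] != prev or block_hash(body) != b["hash"]:
                return False
            prev = b["hash"]
        return True
```

Note that the ciphertext, nonce and subject id remain on-chain after erasure, so whether that residue still counts as personal data is exactly the legal question the study leaves open.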

Professor Christopher Millard, who leads the Cloud Legal Project at Queen Mary, said: “Blockchain is by no means the first emerging technology to be branded as incompatible with privacy and other fundamental legal principles. Blockchain applications may well be disruptive, but that does not mean that they cannot be designed and deployed in a legally compliant manner.”

Co-author Dave Michels, Researcher on the Cloud Legal Project at Queen Mary, added: “Solutions like hybrid blockchains that combine public and private elements have real potential to promote data privacy. The French data protection regulator was the first to provide much-needed guidance in this area. It would be great to see other regulators follow their lead.”

More information

The Microsoft Cloud Computing Research Centre (MCCRC) is a collaboration between the Cloud Legal Project at Queen Mary University of London and the Department of Computer Science and Technology, University of Cambridge.